aes128.test.cpp

Go to the documentation of this file.

#include "aes128.hpp"
#include "barretenberg/circuit_checker/circuit_checker.hpp"
#include "barretenberg/crypto/aes128/aes128.hpp"
#include "barretenberg/numeric/bitop/sparse_form.hpp"
#include "barretenberg/stdlib/primitives/plookup/plookup.hpp"
#include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp"
 
#include <gtest/gtest.h>
 
using namespace bb;
 
// Helper function to create field element as either constant or witness
stdlib::field_t<UltraCircuitBuilder> create_field_element(UltraCircuitBuilder& builder,
                                                          const uint256_t& value,
                                                          bool as_witness)
{
    if (as_witness) {
        return stdlib::field_t<UltraCircuitBuilder>(stdlib::witness_t(&builder, fr(value)));
    } else {
        return stdlib::field_t<UltraCircuitBuilder>(value);
    }
}
 
// Helper function to convert byte array to uint256_t
uint256_t convert_bytes_to_uint256(const uint8_t* data)
{
    uint256_t converted(0);
    for (uint64_t i = 0; i < 16; ++i) {
        uint256_t to_add = uint256_t((uint64_t)(data[i])) << uint256_t((15 - i) * 8);
        converted += to_add;
    }
    return converted;
}
 
// Test function for a specific combination of witness/constant inputs
void test_aes128_combination(bool key_as_witness, bool iv_as_witness, bool input_as_witness)
{
    typedef stdlib::field_t<UltraCircuitBuilder> field_pt;
 
    uint8_t key[16]{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
    uint8_t out[64]{ 0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46, 0xce, 0xe9, 0x8e, 0x9b, 0x12, 0xe9, 0x19, 0x7d,
                     0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee, 0x95, 0xdb, 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2,
                     0x73, 0xbe, 0xd6, 0xb8, 0xe3, 0xc1, 0x74, 0x3b, 0x71, 0x16, 0xe6, 0x9e, 0x22, 0x22, 0x95, 0x16,
                     0x3f, 0xf1, 0xca, 0xa1, 0x68, 0x1f, 0xac, 0x09, 0x12, 0x0e, 0xca, 0x30, 0x75, 0x86, 0xe1, 0xa7 };
    uint8_t iv[16]{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    uint8_t in[64]{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
                    0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
                    0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
                    0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 };
 
    auto builder = UltraCircuitBuilder();
 
    // Create input blocks with specified witness/constant configuration
    std::vector<field_pt> in_field;
    for (size_t i = 0; i < 4; ++i) {
        in_field.push_back(create_field_element(builder, convert_bytes_to_uint256(in + i * 16), input_as_witness));
    }
 
    // Create key and IV with specified witness/constant configuration
    field_pt key_field = create_field_element(builder, convert_bytes_to_uint256(key), key_as_witness);
    field_pt iv_field = create_field_element(builder, convert_bytes_to_uint256(iv), iv_as_witness);
 
    // Expected results
    std::vector<fr> expected{ convert_bytes_to_uint256(out),
                              convert_bytes_to_uint256(out + 16),
                              convert_bytes_to_uint256(out + 32),
                              convert_bytes_to_uint256(out + 48) };
 
    // Run AES encryption
    const auto result = stdlib::aes128::encrypt_buffer_cbc(in_field, iv_field, key_field);
 
    // Verify results
    for (size_t i = 0; i < 4; ++i) {
        EXPECT_EQ(result[i].get_value(), expected[i])
            << "Combination: key=" << (key_as_witness ? "witness" : "constant")
            << ", iv=" << (iv_as_witness ? "witness" : "constant")
            << ", input=" << (input_as_witness ? "witness" : "constant");
    }
 
    // Verify circuit is valid (only if there are witnesses)
    if (key_as_witness || iv_as_witness || input_as_witness) {
        bool proof_result = CircuitChecker::check(builder);
        EXPECT_EQ(proof_result, true) << "Circuit check failed for combination: key="
                                      << (key_as_witness ? "witness" : "constant")
                                      << ", iv=" << (iv_as_witness ? "witness" : "constant")
                                      << ", input=" << (input_as_witness ? "witness" : "constant");
    }
}
 
// Test function for mixed input blocks (some constant, some witness)
void test_aes128_mixed_input(bool key_as_witness, bool iv_as_witness, const std::vector<bool>& input_block_config)
{
    typedef stdlib::field_t<UltraCircuitBuilder> field_pt;
 
    uint8_t key[16]{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
    uint8_t out[64]{ 0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46, 0xce, 0xe9, 0x8e, 0x9b, 0x12, 0xe9, 0x19, 0x7d,
                     0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee, 0x95, 0xdb, 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2,
                     0x73, 0xbe, 0xd6, 0xb8, 0xe3, 0xc1, 0x74, 0x3b, 0x71, 0x16, 0xe6, 0x9e, 0x22, 0x22, 0x95, 0x16,
                     0x3f, 0xf1, 0xca, 0xa1, 0x68, 0x1f, 0xac, 0x09, 0x12, 0x0e, 0xca, 0x30, 0x75, 0x86, 0xe1, 0xa7 };
    uint8_t iv[16]{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    uint8_t in[64]{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
                    0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
                    0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
                    0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 };
 
    auto builder = UltraCircuitBuilder();
 
    // Create input blocks with mixed witness/constant configuration
    std::vector<field_pt> in_field;
    for (size_t i = 0; i < input_block_config.size(); ++i) {
        in_field.push_back(create_field_element(builder, convert_bytes_to_uint256(in + i * 16), input_block_config[i]));
    }
 
    // Create key and IV with specified witness/constant configuration
    field_pt key_field = create_field_element(builder, convert_bytes_to_uint256(key), key_as_witness);
    field_pt iv_field = create_field_element(builder, convert_bytes_to_uint256(iv), iv_as_witness);
 
    // Expected results
    std::vector<fr> expected;
    for (size_t i = 0; i < input_block_config.size(); ++i) {
        expected.push_back(convert_bytes_to_uint256(out + i * 16));
    }
 
    // Run AES encryption
    const auto result = stdlib::aes128::encrypt_buffer_cbc(in_field, iv_field, key_field);
 
    // Verify results
    for (size_t i = 0; i < result.size(); ++i) {
        EXPECT_EQ(result[i].get_value(), expected[i]) << "Mixed input test failed for block " << i;
    }
 
    // Verify circuit is valid (only if there are witnesses)
    bool has_witness = key_as_witness || iv_as_witness;
    for (bool is_witness : input_block_config) {
        if (is_witness) {
            has_witness = true;
            break;
        }
    }
 
    if (has_witness) {
        bool proof_result = CircuitChecker::check(builder);
        EXPECT_EQ(proof_result, true) << "Circuit check failed for mixed input test";
    }
}
 
TEST(stdlib_aes128, encrypt_64_bytes_all_witness)
{
    test_aes128_combination(true, true, true);
}
 
TEST(stdlib_aes128, encrypt_64_bytes_all_constant)
{
    test_aes128_combination(false, false, false);
}
 
TEST(stdlib_aes128, encrypt_64_bytes_key_witness_iv_constant_input_constant)
{
    test_aes128_combination(true, false, false);
}
 
TEST(stdlib_aes128, encrypt_64_bytes_key_constant_iv_witness_input_constant)
{
    test_aes128_combination(false, true, false);
}
 
TEST(stdlib_aes128, encrypt_64_bytes_key_constant_iv_constant_input_witness)
{
    test_aes128_combination(false, false, true);
}
 
TEST(stdlib_aes128, encrypt_64_bytes_key_witness_iv_witness_input_constant)
{
    test_aes128_combination(true, true, false);
}
 
TEST(stdlib_aes128, encrypt_64_bytes_key_witness_iv_constant_input_witness)
{
    test_aes128_combination(true, false, true);
}
 
TEST(stdlib_aes128, encrypt_64_bytes_key_constant_iv_witness_input_witness)
{
    test_aes128_combination(false, true, true);
}
 
// Original test for backward compatibility
TEST(stdlib_aes128, encrypt_64_bytes_original)
{
    typedef stdlib::field_t<UltraCircuitBuilder> field_pt;
    typedef stdlib::witness_t<bb::UltraCircuitBuilder> witness_pt;
 
    uint8_t key[16]{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
    uint8_t out[64]{ 0x76, 0x49, 0xab, 0xac, 0x81, 0x19, 0xb2, 0x46, 0xce, 0xe9, 0x8e, 0x9b, 0x12, 0xe9, 0x19, 0x7d,
                     0x50, 0x86, 0xcb, 0x9b, 0x50, 0x72, 0x19, 0xee, 0x95, 0xdb, 0x11, 0x3a, 0x91, 0x76, 0x78, 0xb2,
                     0x73, 0xbe, 0xd6, 0xb8, 0xe3, 0xc1, 0x74, 0x3b, 0x71, 0x16, 0xe6, 0x9e, 0x22, 0x22, 0x95, 0x16,
                     0x3f, 0xf1, 0xca, 0xa1, 0x68, 0x1f, 0xac, 0x09, 0x12, 0x0e, 0xca, 0x30, 0x75, 0x86, 0xe1, 0xa7 };
    uint8_t iv[16]{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    uint8_t in[64]{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
                    0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
                    0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
                    0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 };
 
    const auto convert_bytes = [](uint8_t* data) {
        uint256_t converted(0);
        for (uint64_t i = 0; i < 16; ++i) {
            uint256_t to_add = uint256_t((uint64_t)(data[i])) << uint256_t((15 - i) * 8);
            converted += to_add;
        }
        return converted;
    };
 
    auto builder = UltraCircuitBuilder();
 
    std::vector<field_pt> in_field{
        witness_pt(&builder, fr(convert_bytes(in))),
        witness_pt(&builder, fr(convert_bytes(in + 16))),
        witness_pt(&builder, fr(convert_bytes(in + 32))),
        witness_pt(&builder, fr(convert_bytes(in + 48))),
    };
 
    field_pt key_field(witness_pt(&builder, fr(convert_bytes(key))));
    field_pt iv_field(witness_pt(&builder, fr(convert_bytes(iv))));
 
    std::vector<fr> expected{
        convert_bytes(out), convert_bytes(out + 16), convert_bytes(out + 32), convert_bytes(out + 48)
    };
 
    const auto result = stdlib::aes128::encrypt_buffer_cbc(in_field, iv_field, key_field);
 
    for (size_t i = 0; i < 4; ++i) {
        EXPECT_EQ(result[i].get_value(), expected[i]);
    }
 
    std::cout << "num gates = " << builder.get_num_finalized_gates_inefficient() << std::endl;
 
    bool proof_result = CircuitChecker::check(builder);
    EXPECT_EQ(proof_result, true);
}
 
// Mixed input tests - different combinations of constant/witness blocks
TEST(stdlib_aes128, encrypt_64_bytes_mixed_input_first_witness_rest_constant)
{
    test_aes128_mixed_input(false, false, { true, false, false, false });
}
 
TEST(stdlib_aes128, encrypt_64_bytes_mixed_input_alternating_witness_constant)
{
    test_aes128_mixed_input(false, false, { true, false, true, false });
}
 
TEST(stdlib_aes128, encrypt_64_bytes_mixed_input_first_constant_rest_witness)
{
    test_aes128_mixed_input(false, false, { false, true, true, true });
}
 
TEST(stdlib_aes128, encrypt_64_bytes_mixed_input_key_witness_mixed_blocks)
{
    test_aes128_mixed_input(true, false, { true, false, true, false });
}
 
TEST(stdlib_aes128, encrypt_64_bytes_mixed_input_iv_witness_mixed_blocks)
{
    test_aes128_mixed_input(false, true, { false, true, false, true });
}
 
TEST(stdlib_aes128, encrypt_64_bytes_mixed_input_key_iv_witness_mixed_blocks)
{
    test_aes128_mixed_input(true, true, { true, false, true, false });
}
 
TEST(stdlib_aes128, encrypt_64_bytes_mixed_input_all_witness_blocks)
{
    test_aes128_mixed_input(false, false, { true, true, true, true });
}
 
TEST(stdlib_aes128, encrypt_64_bytes_mixed_input_all_constant_blocks)
{
    test_aes128_mixed_input(false, false, { false, false, false, false });
}
 
// ============================================================================
// Sparse Form XOR Tests
// ============================================================================
// In AES circuits, XOR is performed via addition in base-9 sparse form:
//   - Each bit of a byte becomes a digit (0 or 1) in a base-9 number
//   - Adding two sparse values: digits become 0, 1, or 2
//   - Normalization maps: even digits → 0, odd digits → 1 (exactly XOR semantics)
//
// This allows XOR to be computed as: sparse(a) + sparse(b), then normalize
// ============================================================================
 
constexpr uint64_t AES_SPARSE_BASE = 9;
 
TEST(stdlib_aes128_sparse, sparse_form_roundtrip)
{
    // Test all possible byte values
    for (uint64_t byte = 0; byte < 256; ++byte) {
        uint256_t sparse = numeric::map_into_sparse_form<AES_SPARSE_BASE>(byte);
        uint64_t recovered = numeric::map_from_sparse_form<AES_SPARSE_BASE>(sparse);
        EXPECT_EQ(recovered, byte) << "Roundtrip failed for byte 0x" << std::hex << byte;
    }
}
 
TEST(stdlib_aes128_sparse, sparse_addition_equals_xor_native)
{
    // Test a variety of byte pairs
    std::vector<std::pair<uint8_t, uint8_t>> test_cases = {
        { 0x00, 0x00 }, // 0 XOR 0 = 0
        { 0xFF, 0x00 }, // FF XOR 0 = FF
        { 0xFF, 0xFF }, // FF XOR FF = 0
        { 0xAA, 0x55 }, // Alternating bits: AA XOR 55 = FF
        { 0x0F, 0xF0 }, // 0F XOR F0 = FF
        { 0x12, 0x34 }, // Random: 12 XOR 34 = 26
        { 0x2b, 0x6b }, // From AES test vectors: key[0] XOR plaintext[0]
    };
 
    for (const auto& [a, b] : test_cases) {
        uint8_t expected_xor = a ^ b;
 
        // Convert to sparse form
        uint256_t sparse_a = numeric::map_into_sparse_form<AES_SPARSE_BASE>(a);
        uint256_t sparse_b = numeric::map_into_sparse_form<AES_SPARSE_BASE>(b);
 
        // Add in sparse form (this is the circuit operation)
        uint256_t sparse_sum = sparse_a + sparse_b;
 
        // The sum needs normalization. In the circuit, this is done via plookup.
        // For native testing, we can verify digit-by-digit:
        // Each digit d in sparse_sum should normalize to (d % 2)
        uint256_t normalized = 0;
        uint256_t power = 1;
        uint256_t temp = sparse_sum;
 
        for (size_t i = 0; i < 8; ++i) {
            uint64_t digit = (temp % AES_SPARSE_BASE).data[0];
            uint64_t normalized_digit = digit % 2; // even→0, odd→1
            normalized += power * normalized_digit;
            power *= AES_SPARSE_BASE;
            temp /= AES_SPARSE_BASE;
        }
 
        // Convert normalized result back to byte
        uint64_t actual_xor = numeric::map_from_sparse_form<AES_SPARSE_BASE>(normalized);
 
        EXPECT_EQ(actual_xor, expected_xor) << "Sparse XOR failed for 0x" << std::hex << (int)a << " ^ 0x" << (int)b
                                            << ": expected 0x" << (int)expected_xor << ", got 0x" << actual_xor;
    }
}
 
TEST(stdlib_aes128_sparse, sparse_form_lookup_table)
{
    using field_ct = stdlib::field_t<UltraCircuitBuilder>;
    using witness_ct = stdlib::witness_t<UltraCircuitBuilder>;
    using plookup_read = stdlib::plookup_read<UltraCircuitBuilder>;
 
    auto builder = UltraCircuitBuilder();
 
    // Take an input to the AES (16 bytes)
    uint8_t lhs[16] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
    };
    uint8_t rhs[16] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
    };
 
    uint8_t expected_xor[16];
    for (size_t i = 0; i < 16; ++i) {
        expected_xor[i] = lhs[i] ^ rhs[i];
    }
 
    field_ct expected_xor_field = witness_ct(&builder, fr(convert_bytes_to_uint256(expected_xor)));
 
    // pack the 16 bytes into a field_ct
    field_ct lhs_field = witness_ct(&builder, fr(convert_bytes_to_uint256(lhs)));
    field_ct rhs_field = witness_ct(&builder, fr(convert_bytes_to_uint256(rhs)));
 
    // Now use the AES input table to convert lhs and rhs to sparse form using the AES input table
    std::array<field_ct, 16> lhs_sparse_fields = stdlib::aes128::convert_into_sparse_bytes(&builder, lhs_field);
    std::array<field_ct, 16> rhs_sparse_fields = stdlib::aes128::convert_into_sparse_bytes(&builder, rhs_field);
 
    // Add the sparse fields together
    for (size_t i = 0; i < 16; ++i) {
        lhs_sparse_fields[i] = lhs_sparse_fields[i] + rhs_sparse_fields[i];
        // Normalize the result
        lhs_sparse_fields[i] = plookup_read::read_from_1_to_2_table(plookup::AES_NORMALIZE, lhs_sparse_fields[i]);
    }
    auto output_bytes = stdlib::aes128::convert_from_sparse_bytes(&builder, std::span{ lhs_sparse_fields });
 
    output_bytes.assert_equal(expected_xor_field);
 
    EXPECT_TRUE(CircuitChecker::check(builder));
    EXPECT_FALSE(builder.failed());
}
 
TEST(stdlib_aes128_sparse, sparse_xor_circuit)
{
    using field_ct = stdlib::field_t<UltraCircuitBuilder>;
    using witness_ct = stdlib::witness_t<UltraCircuitBuilder>;
    using plookup_read = stdlib::plookup_read<UltraCircuitBuilder>;
 
    auto builder = UltraCircuitBuilder();
 
    // Test cases: pairs of bytes and their expected XOR
    std::vector<std::tuple<uint8_t, uint8_t, uint8_t>> test_cases = {
        { 0x00, 0x00, 0x00 }, { 0xFF, 0xFF, 0x00 }, { 0xAA, 0x55, 0xFF },
        { 0x12, 0x34, 0x26 }, { 0x2b, 0x6b, 0x40 }, // key[0] XOR plaintext[0] from NIST vectors
    };
 
    for (const auto& [a, b, expected] : test_cases) {
        // Convert bytes to sparse form
        uint256_t sparse_a = numeric::map_into_sparse_form<AES_SPARSE_BASE>(a);
        uint256_t sparse_b = numeric::map_into_sparse_form<AES_SPARSE_BASE>(b);
 
        // Create circuit witnesses
        field_ct field_a = witness_ct(&builder, fr(sparse_a));
        field_ct field_b = witness_ct(&builder, fr(sparse_b));
 
        // Add in circuit (this is the XOR operation before normalization)
        field_ct sum = field_a + field_b;
 
        // Normalize via plookup (this completes the XOR)
        field_ct normalized = plookup_read::read_from_1_to_2_table(plookup::AES_NORMALIZE, sum);
 
        // Convert result back to byte and verify
        uint64_t sparse_result = uint256_t(normalized.get_value()).data[0];
        uint8_t actual = static_cast<uint8_t>(numeric::map_from_sparse_form<AES_SPARSE_BASE>(sparse_result));
 
        EXPECT_EQ(actual, expected) << "Circuit sparse XOR failed for 0x" << std::hex << (int)a << " ^ 0x" << (int)b;
    }
 
    EXPECT_TRUE(CircuitChecker::check(builder));
}
 
TEST(stdlib_aes128_sparse, sparse_multi_xor_circuit)
{
    using field_ct = stdlib::field_t<UltraCircuitBuilder>;
    using witness_ct = stdlib::witness_t<UltraCircuitBuilder>;
    using plookup_read = stdlib::plookup_read<UltraCircuitBuilder>;
 
    auto builder = UltraCircuitBuilder();
 
    // Test 3-way and 4-way XOR
    uint8_t a = 0x12, b = 0x34, c = 0x56, d = 0x78;
 
    // Expected results
    uint8_t expected_3way = a ^ b ^ c;     // 0x12 ^ 0x34 ^ 0x56 = 0x70
    uint8_t expected_4way = a ^ b ^ c ^ d; // 0x12 ^ 0x34 ^ 0x56 ^ 0x78 = 0x08
 
    // Convert to sparse form
    field_ct sparse_a = witness_ct(&builder, fr(numeric::map_into_sparse_form<AES_SPARSE_BASE>(a)));
    field_ct sparse_b = witness_ct(&builder, fr(numeric::map_into_sparse_form<AES_SPARSE_BASE>(b)));
    field_ct sparse_c = witness_ct(&builder, fr(numeric::map_into_sparse_form<AES_SPARSE_BASE>(c)));
    field_ct sparse_d = witness_ct(&builder, fr(numeric::map_into_sparse_form<AES_SPARSE_BASE>(d)));
 
    // 3-way XOR: add all three, then normalize
    field_ct sum_3way = sparse_a + sparse_b + sparse_c;
    field_ct normalized_3way = plookup_read::read_from_1_to_2_table(plookup::AES_NORMALIZE, sum_3way);
 
    uint64_t sparse_result_3way = uint256_t(normalized_3way.get_value()).data[0];
    uint8_t actual_3way = static_cast<uint8_t>(numeric::map_from_sparse_form<AES_SPARSE_BASE>(sparse_result_3way));
    EXPECT_EQ(actual_3way, expected_3way) << "3-way sparse XOR failed";
 
    // 4-way XOR: add all four, then normalize
    field_ct sum_4way = sparse_a + sparse_b + sparse_c + sparse_d;
    field_ct normalized_4way = plookup_read::read_from_1_to_2_table(plookup::AES_NORMALIZE, sum_4way);
 
    uint64_t sparse_result_4way = uint256_t(normalized_4way.get_value()).data[0];
    uint8_t actual_4way = static_cast<uint8_t>(numeric::map_from_sparse_form<AES_SPARSE_BASE>(sparse_result_4way));
    EXPECT_EQ(actual_4way, expected_4way) << "4-way sparse XOR failed";
 
    EXPECT_TRUE(CircuitChecker::check(builder));
}
 
TEST(stdlib_aes128_sparse, sparse_addition_limit)
{
    using field_ct = stdlib::field_t<UltraCircuitBuilder>;
    using witness_ct = stdlib::witness_t<UltraCircuitBuilder>;
    using plookup_read = stdlib::plookup_read<UltraCircuitBuilder>;
 
    auto builder = UltraCircuitBuilder();
 
    // Add 8 copies of 0xFF (all bits set)
    // Each digit will be 8 (the maximum safe value in base-9)
    uint8_t value = 0xFF;
    field_ct sparse_value = witness_ct(&builder, fr(numeric::map_into_sparse_form<AES_SPARSE_BASE>(value)));
 
    field_ct accumulated = sparse_value;
    for (size_t i = 1; i < 8; ++i) {
        accumulated = accumulated + sparse_value;
    }
 
    // XOR of 8 copies of 0xFF = 0x00 (even count = all zeros)
    field_ct normalized = plookup_read::read_from_1_to_2_table(plookup::AES_NORMALIZE, accumulated);
 
    uint64_t sparse_result = uint256_t(normalized.get_value()).data[0];
    uint8_t actual = static_cast<uint8_t>(numeric::map_from_sparse_form<AES_SPARSE_BASE>(sparse_result));
 
    EXPECT_EQ(actual, 0x00) << "8-way XOR of 0xFF should be 0x00";
 
    // Add 7 copies of 0xFF = 0xFF (odd count = all ones)
    field_ct accumulated_7 = sparse_value;
    for (size_t i = 1; i < 7; ++i) {
        accumulated_7 = accumulated_7 + sparse_value;
    }
 
    field_ct normalized_7 = plookup_read::read_from_1_to_2_table(plookup::AES_NORMALIZE, accumulated_7);
 
    uint64_t sparse_result_7 = uint256_t(normalized_7.get_value()).data[0];
    uint8_t actual_7 = static_cast<uint8_t>(numeric::map_from_sparse_form<AES_SPARSE_BASE>(sparse_result_7));
 
    EXPECT_EQ(actual_7, 0xFF) << "7-way XOR of 0xFF should be 0xFF";
 
    EXPECT_TRUE(CircuitChecker::check(builder));
}
 
TEST(stdlib_aes128_sparse, sparse_addition_overflow)
{
    using field_ct = stdlib::field_t<UltraCircuitBuilder>;
    using witness_ct = stdlib::witness_t<UltraCircuitBuilder>;
    using plookup_read = stdlib::plookup_read<UltraCircuitBuilder>;
 
    auto builder = UltraCircuitBuilder();
 
    // Add 9 copies of 0xFF (all bits set)
    // Each digit will be 9 (the minimum value to overflow)
    uint8_t value = 0xFF;
    field_ct sparse_value = witness_ct(&builder, fr(numeric::map_into_sparse_form<AES_SPARSE_BASE>(value)));
 
    field_ct accumulated = sparse_value;
    for (size_t i = 1; i < 9; ++i) {
        accumulated = accumulated + sparse_value;
    }
 
    // 9-way addition of 0xFF overflows base-9 sparse form (digit value 9 >= base)
    // This should throw an exception because the value exceeds the lookup table range
    EXPECT_THROW(plookup_read::read_from_1_to_2_table(plookup::AES_NORMALIZE, accumulated), std::runtime_error)
        << "9-way XOR of 0xFF should overflow and throw";
}